krb5 -- unkeyed PAC checksum handling vulnerability

Details

VuXML ID

9f971cea-03f5-11e0-bf50-001a926c7637

Discovery

2010-11-30

Entry

2010-12-09

The MIT Kerberos team reports:

MIT krb5 incorrectly accepts an unkeyed checksum for PAC
signatures.

An authenticated remote attacker can forge PACs if using a KDC that
does not filter client-provided PAC data. This can result in
privilege escalation against a service that relies on PAC contents
to make authorization decisions.